IN THE CLAIMS

1. (currently amended) A method of detecting an intrusion in a communications
network, the method comprising the steps of:

scanning data packets by a first computer system to which the data packets are directed,
wherein the scanning includes the computer system processing the packets processed by a
transport layer of a network protocol associated with said communications network using
signatures from a repository of said signatures;

determining if said scanned data packets are malicious; and

taking at least one action if any of the data packets are determined to be malicious,
wherein at least one application receive queue (ARQ) functions intermediate said transport layer
and an application layer of the first computer system to provide a queue for data from the data
packets to a first application on the first computer system, wherein the scanning of the respective
data packets occurs before the first application receives the data from the respective data
packets, and wherein said scanning step is selected from the group consisting of:

scanning between said transport layer and said at least one ARQ; and

scanning the data packets from said at least one ARQ.

2. (currently amended) The method according to claim 1, wherein said at least one
action is selected from the group consisting of:

interrupting transmission of any data packets determined to be malicious to said
application layer of said network protocol, wherein the interrupting is performed prior to
the first application processing the malicious data packets;

logging of errors related to any data packets determined to be malicious;

modifying firewall rules of a host computer if any data packets are determined to
be malicious;

informing a network administrator of any data packets that are determined to be
malicious;

intimating said transport layer terminate an existing connection related to any
data packets determined to be malicious;

blocking network access to a source of any data packets determined to be
malicious;

terminating the first application if any data packets are determined to be malicious; and

notifying an application of an application layer if any data packets are determined
to be malicious.
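The following Python sketch is an added example and is not code from the patent or its applicant. It puts the arrangement of claims 1 and 2 into running form: a transport layer hands segments up to a per-application receive queue, and a signature scanner sits either between the transport layer and the queue ("pre") or on the queue as the application dequeues ("post"), so that malicious data is never handed to the application. Everything in it is an assumption made for the demonstration: the regex-over-payload signatures, the sample segments and their addresses, the choice of three of the claim 2 actions (logging, a firewall rule, and connection termination), and the in-memory set that stands in for a real firewall rule.

```python
"""Host-side scanning of an application receive queue (ARQ): an added
illustration of claims 1 and 2, not the patent's own code. One host, path
transport layer -> ARQ -> application; the scanner sits either between the
transport layer and the queue ("pre") or on the queue as the application
dequeues ("post"). Signatures, packets, addresses and handlers are constructed."""
import re
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str           # source address (constructed sample value)
    dst_port: int      # identifies the application the data is queued for
    payload: bytes


class SignatureRepository:
    """Named signatures, each a regex over the payload bytes."""

    def __init__(self, rules: Dict[str, bytes]):
        self._rules = [(name, re.compile(pat)) for name, pat in rules.items()]

    def scan(self, pkt: Packet) -> Optional[str]:
        """Name of the first matching signature, or None if the data is clean."""
        for name, rx in self._rules:
            if rx.search(pkt.payload):
                return name
        return None


class Host:
    """One ARQ per listening application, plus the actions taken on a hit."""

    def __init__(self, repo: SignatureRepository, position: str = "pre"):
        self.repo, self.position = repo, position      # position: "pre" | "post"
        self.queues: Dict[int, Deque[Packet]] = {}
        self.firewall_blocked: Set[str] = set()
        self.terminated: List[Tuple[str, int]] = []
        self.log: List[str] = []
        # Three of the actions listed in claim 2, each an independent handler.
        self.actions: List[Callable[["Host", Packet, str], None]] = [
            Host.log_error, Host.block_source, Host.terminate_connection]

    def log_error(self, pkt: Packet, sig: str) -> None:
        self.log.append(f"{sig} from {pkt.src} to port {pkt.dst_port}")

    def block_source(self, pkt: Packet, sig: str) -> None:
        self.firewall_blocked.add(pkt.src)            # stands in for a firewall rule

    def terminate_connection(self, pkt: Packet, sig: str) -> None:
        self.terminated.append((pkt.src, pkt.dst_port))

    def _take_actions(self, pkt: Packet, sig: str) -> None:
        for action in self.actions:
            action(self, pkt, sig)

    def transport_deliver(self, pkt: Packet) -> bool:
        """Transport layer hands a segment up; True if it reached the ARQ."""
        if pkt.src in self.firewall_blocked:
            return False
        if self.position == "pre":
            sig = self.repo.scan(pkt)
            if sig is not None:
                self._take_actions(pkt, sig)
                return False                          # interrupted before the queue
        self.queues.setdefault(pkt.dst_port, deque()).append(pkt)
        return True

    def app_receive(self, port: int) -> Optional[bytes]:
        """Application dequeues its next data; malicious data never returns."""
        q = self.queues.get(port)
        while q:
            pkt = q.popleft()
            if self.position == "post":
                sig = self.repo.scan(pkt)
                if sig is not None:
                    self._take_actions(pkt, sig)
                    continue                          # dropped before the app sees it
            return pkt.payload
        return None


def demo(position: str) -> dict:
    """Run four constructed segments through a host scanning at `position`."""
    repo = SignatureRepository({"http-traversal": rb"GET /[^ ]*\.\./",
                                "shell-metachar": rb"[;&|]\s*(cat|sh|bash)\b"})
    host = Host(repo, position)
    for seg in [Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
                Packet("10.0.0.9", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
                Packet("10.0.0.9", 80, b"GET /x HTTP/1.1\r\n"),   # same source, later
                Packet("10.0.0.7", 8080, b"name=a; cat /etc/shadow")]:
        host.transport_deliver(seg)
    delivered: List[bytes] = []
    for port in (80, 8080):
        while (data := host.app_receive(port)) is not None:
            delivered.append(data)
    return {"delivered": delivered, "blocked": host.firewall_blocked,
            "terminated": host.terminated, "log": host.log}
```

Running `demo("pre")` and `demo("post")` shows the practical difference between the two scanning positions the claims recite. At either position the malicious segment itself never reaches the application, which is the guarantee claim 2's "interrupting ... prior to the first application processing" describes. The firewall rule, however, only acts at ingress: when the scan runs on the queue, a clean segment from the same source that was already queued behind the malicious one is still delivered, whereas scanning between the transport layer and the queue drops it because the rule is in place before it arrives. An implementation that relies on the source block as its containment step should therefore scan before enqueueing, or purge the queue on a hit.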

3. (original) The method according to claim 1, further comprising the step of
transmitting to said application layer any data packets determined not to be malicious.

4. (original) The method according to claim 1, wherein said scanning and
determining steps are implemented using a scan module.

5-6. (canceled) 

7. (currently amended) The method according to claim 1, further comprising the
step of obtaining data from said at least one application receive queue (ARQ).

8. (canceled)

9. (original) The method according to claim 1, further comprising the step of
dispatching said data packets to one or more handlers for scanning, if said protocol is monitored.

10. (original) The method according to claim 1, wherein said scanning and
determining steps are implemented using a scan daemon.

11. (currently amended) The method according to claim 1, further comprising the
step of the target computer system generating fake, network-accessible services.

12. (withdrawn) A method of preventing an intrusion in a communications network,
the method comprising the steps of:

disabling a network interface of a host if an idle time expires;
determining if any packets are to be transmitted; and

enabling said network interface if at least one packet is determined to be available to be
transmitted.
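As an added example of the idle-gated interface in claim 12 (this is not the patent's own code), the following Python simulation brings a link down once no packet has crossed it for an idle period and brings it back up as soon as the host queues something to transmit. The clock is passed in explicitly so the run is deterministic, the packets are constructed strings, and the timing values, the rule that a non-empty transmit queue keeps the link up, and the treatment of inbound traffic while the link is down are all assumptions of the example.

```python
"""Idle-gated network interface: an added illustration of the technique in
claim 12, not the patent's own code. The link is disabled once no packet has
crossed it for idle_timeout seconds and re-enabled as soon as the host has a
packet to transmit. Time is supplied by the caller; packets are sample strings."""
from collections import deque
from typing import Deque, List, Tuple


class IdleGatedInterface:
    def __init__(self, idle_timeout: float, now: float = 0.0):
        self.idle_timeout = idle_timeout
        self.up = True
        self.last_activity = now
        self.tx_queue: Deque[str] = deque()
        self.sent: List[str] = []
        self.transitions: List[Tuple[float, str]] = []   # (time, "up"/"down")

    def _set_link(self, now: float, up: bool) -> None:
        if self.up != up:
            self.up = up
            self.transitions.append((now, "up" if up else "down"))

    def tick(self, now: float) -> None:
        """Periodic timer: disable the link when the idle time expires.
        A pending transmission keeps it up even if the timer has run out."""
        if self.up and not self.tx_queue and now - self.last_activity >= self.idle_timeout:
            self._set_link(now, False)

    def receive(self, now: float, pkt: str) -> bool:
        """Inbound traffic is accepted only while the link is up; anything that
        arrives while it is down (an unsolicited probe, say) is simply lost."""
        if not self.up:
            return False
        self.last_activity = now
        return True

    def send(self, now: float, pkt: str) -> None:
        """Queue a packet for transmission; if the link is down, raise it first."""
        self.tx_queue.append(pkt)
        if not self.up:
            self._set_link(now, True)
        while self.tx_queue:                      # drain once the link is up
            self.sent.append(self.tx_queue.popleft())
        self.last_activity = now


def demo_idle_gate() -> dict:
    """Constructed timeline: 5 s idle timeout, one inbound packet, one probe, one send."""
    nic = IdleGatedInterface(idle_timeout=5.0)
    accepted = [nic.receive(1.0, "syn from peer")]      # link up: accepted
    nic.tick(3.0)                                        # idle 2 s: stays up
    nic.tick(6.0)                                        # idle 5 s: goes down
    accepted.append(nic.receive(7.0, "probe"))           # link down: dropped
    nic.send(9.0, "keepalive")                           # host has data: link up
    nic.tick(13.0)                                       # idle 4 s: stays up
    nic.tick(14.0)                                       # idle 5 s: goes down
    return {"accepted": accepted, "sent": nic.sent,
            "transitions": nic.transitions, "up": nic.up}
```

The point the claim leaves implicit, and the simulation makes visible, is that the host is unreachable between the idle expiry and its next outbound packet: the probe at t=7 is never seen, and no idle timer is restarted by it, so an attacker cannot keep the interface alive by sending to it. The cost is symmetric, and legitimate unsolicited inbound traffic is lost in the same window.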

13. (currently amended) A system for detecting an intrusion in a communications
network, the system comprising:

a storage unit for storing data and instructions for a processing unit; and
a processing unit coupled to said storage unit, said processing unit being programmed to
scan data packets by a first computer system to which the data packets are directed, wherein the
scanning includes the computer system processing the packets processed by a transport layer of a
network protocol associated with said communications network using signatures from a
repository of said signatures, to determine if said scanned data packets are malicious, and to take
at least one action if any of the data packets are determined to be malicious, wherein at least one
application receive queue (ARQ) functions intermediate said transport layer and an application
layer of the first computer system to provide a queue for data from the data packets to a first
application on the first computer system, wherein the scanning of the respective data packets
occurs before the first application receives the data from the respective data packets, and
wherein said scanning step is selected from the group consisting of:

scanning between said transport layer and said at least one ARQ; and

scanning the data packets from said at least one ARQ.

14. (currently amended) The system according to claim 13, wherein said at least one
action is selected from the group consisting of:

interrupting transmission of any data packets determined to be malicious to said
application layer of said network protocol, wherein the interrupting is performed prior to the first
application processing the malicious data packets;

logging of errors related to any data packets determined to be malicious;

modifying firewall rules of a host computer if any data packets are determined to be
malicious;

informing a network administrator of any data packets that are determined to be
malicious;

intimating said transport layer terminate an existing connection related to any data
packets determined to be malicious;

blocking network access to a source of any data packets determined to be malicious;

terminating the first application if any data packets are determined to be malicious; and

notifying an application of an application layer if any data packets are determined to be
malicious.

15. (original) The system according to claim 13, wherein said processing unit is
programmed to transmit to said application layer any data packets determined not to be
malicious.

16. (original) The system according to claim 13, wherein said processing unit is
programmed to implement a scan module.

17-18. (canceled) 

19. (currently amended) The system according to claim 13, wherein said
processing unit is programmed to obtain data from said at least one application receive queue
(ARQ).

20. (original) The system according to claim 19, wherein said scanning is performed 
on data packets from said at least one application receive queue (ARQ). 
21. (original) The system according to claim 13, wherein said processing unit is
programmed to dispatch said data packets to one or more handlers for scanning, if said protocol
is monitored.

22. (original) The system according to claim 13, wherein said scanning and
determining are implemented using a scan daemon.

23. (currently amended) The system according to claim 13, wherein said processing
unit is programmed to generate fake, network-accessible services.

24. (withdrawn) A system of preventing an intrusion in a communications network, 
the system comprising: 

a storage unit for storing data and instructions for a processing unit; and 
a processing unit coupled to said storage unit, said processing unit being programmed 
to disable a network interface of a host if an idle time expires, to determine if any packets are to 
be transmitted, and to enable said network interface if at least one packet is determined to be 
available to be transmitted. 

25. (currently amended) A computer program product stored on a computer-readable storage
medium, the computer program product having instructions for execution by a computer,
wherein the instructions, when executed by the computer, cause the computer to implement a
method comprising the steps of:

scanning data packets by a first computer system to which the data packets are directed,
wherein the scanning includes the computer system processing the packets processed by a
transport layer of a network protocol associated with said communications network using
signatures from a repository of said signatures;

determining if said scanned data packets are malicious; and

taking at least one action if any of the data packets are determined to be malicious,
wherein at least one application receive queue (ARQ) functions intermediate said transport layer
and an application layer of the first computer system to provide a queue for data from the data
packets to a first application on the first computer system, wherein the scanning of the respective
data packets occurs before the first application receives the data from the respective data
packets, and wherein said scanning step is selected from the group consisting of:

scanning between said transport layer and said at least one ARQ; and

scanning the data packets from said at least one ARQ.

26. (currently amended) The computer program product according to claim 25, wherein
said at least one action is selected from the group consisting of:

interrupting transmission of any data packets determined to be malicious to said
application layer of said network protocol, wherein the interrupting is performed prior to the first
application processing the malicious data packets;

logging of errors related to any data packets determined to be malicious;

modifying firewall rules of a host computer if any data packets are determined to be
malicious;

informing a network administrator of any data packets that are determined to be
malicious;

intimating said transport layer terminate an existing connection related to any data
packets determined to be malicious;

blocking network access to a source of any data packets determined to be malicious;

terminating the first application if any data packets are determined to be malicious; and

notifying an application of an application layer if any data packets are determined to be
malicious.

27. (currently amended) The computer program product according to claim 25, the steps
further comprising transmitting to said application layer any data packets determined not to be
malicious.

28. (currently amended) The computer program product according to claim 25, wherein
said scanning and determining are implemented using a scan module.

29-30. (canceled) 

31. (currently amended) The computer program product according to claim 25, the steps
further comprising obtaining data from said at least one application receive queue (ARQ).

32. (canceled) 

33. (currently amended) The computer program product according to claim 25, the steps
further comprising dispatching said data packets to one or more handlers for scanning, if said
protocol is monitored.

34. (currently amended) The computer program product according to claim 25, wherein
said scanning and determining are implemented using a scan daemon.

35. (withdrawn) A computer-readable medium of preventing an intrusion in a
communications network, the computer-readable medium comprising:

programmed instructions for disabling a network interface of a host if an idle time
expires;

programmed instructions for determining if any packets are to be transmitted; and
programmed instructions for enabling said network interface if at least one packet is
determined to be available to be transmitted.